Privacy Policy

1. Who we are

This Privacy Policy (“Notice”) describes how [Secret Agents Legal Entity Name] (“Secret Agents,” “we,” “us”) collects, uses, and shares information in connection with the Secret Agents Client CRM (the “Service”). Our registered address is [Entity Address]. For privacy inquiries, contact [privacy@secretagents.co].

2. Scope of this Notice

This Notice covers:

• Information about Users who access the Service (for example, a Customer’s owner, manager, or viewer signing in).
• Information about leads that Customers manage in the Service (“Customer Data”), including individuals whose details enter the Service from campaign forms or Customer uploads.
• Information generated by use of the Service (logs, security events, and limited usage telemetry).

This Notice does not cover campaign forms or other Secret Agents marketing properties operated outside of the Service, which may be governed by separate notices.

3. Our roles

The Service is offered to business customers (each a “Customer”). With respect to information about a Customer’s leads (Customer Data), the Customer is the controller (or “business” under similar regimes), and Secret Agents acts as a processor (or service provider) on the Customer’s documented instructions. With respect to information about a Customer’s Users (for example, login email and role), Secret Agents is the controller.

If you are an individual whose information appears in Customer Data and you have questions about how your information was collected, please contact the business whose campaign you responded to. We will reasonably assist that business in responding to requests we receive directly.

4. Information we collect

4.1 User account information

We receive name, email address, profile image (where provided), authentication tokens, and organization membership through our authentication provider (Clerk) when a User signs up, accepts an invitation, or logs in.

4.2 Customer Data

Customer Data is information Customers and their Users create, import, or ingest into the Service. It may include lead name, email, phone number, lead context notes, campaign source, status, deal size, appointment time, custom field values, and notes added by Users.

4.3 Operational data

We collect webhook delivery logs, error logs, sign-in events, and limited feature-usage telemetry sufficient to operate, secure, and improve the Service.

4.4 Special-category data

The Service is not intended to collect special-category personal data (for example, data revealing health, biometric identifiers, or government identifiers). If you become aware that such data has entered the Service, please contact us so it can be removed.

5. How we use information

We use information to:

• Provide, operate, and maintain the Service, including scoping data to the correct Customer organization.
• Authenticate Users and enforce role-based access.
• Route inbound leads to the correct Customer organization using per-Customer ingest tokens.
• Render dashboards, analytics, and notifications.
• Send service messages, updates, and security notifications.
• Ensure security, integrity, and fraud or abuse prevention.
• Comply with applicable law and respond to lawful requests.

6. Legal bases for processing

Where Secret Agents is the controller, we rely on (i) performance of a contract with the User; (ii) our legitimate interests in operating and securing the Service; (iii) consent, where required; and (iv) compliance with legal obligations.

For Customer Data, the Customer is responsible for establishing an appropriate lawful basis for processing, for issuing any required notices to data subjects, and for obtaining any required consents.

7. Sharing and sub-processors

We share information with the following categories of sub-processors, each engaged under appropriate contractual safeguards:

• Convex — backend platform that hosts our database and serverless functions.
• Clerk — identity and authentication, including session management.
• Zapier — pipeline service used by Customers to route inbound leads to the Service.
• Slack — destination of per-Customer outbound notification webhooks, where configured by the Customer.
• [Hosting / CDN provider] — to be confirmed (for example, Vercel or Netlify).

A current list of sub-processors will be maintained at [URL to live sub-processor list]. We may also disclose information when required by law, in connection with a corporate transaction, or on a Customer’s documented instruction.

8. International transfers

The Service is operated from [country / region]. Where information is transferred from regions with cross-border transfer restrictions (for example, the EEA, UK, or Switzerland), we rely on standard contractual clauses or another approved transfer mechanism with our sub-processors. Specific mechanisms will be confirmed during legal review and reflected in our Data Processing Addendum.

9. Retention

We retain User account information for as long as the related account is active and for a reasonable period thereafter. We retain Customer Data for the term of the Customer’s subscription and for [N] days following termination, after which Customer Data is deleted or anonymized except where retention is required by law. Operational logs are retained for [N] days.

10. Security

We use administrative, technical, and physical safeguards designed to protect information against loss, misuse, and unauthorized access, including tenant-isolation controls that scope each Customer’s data to its organization. No method of transmission or storage is completely secure, and we do not guarantee absolute security.

11. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, port, or object to the processing of your information, and to withdraw consent. To exercise these rights with respect to your User account information, contact [privacy@secretagents.co]. With respect to lead data held in the Service on behalf of a particular Customer, please direct requests to that Customer; we will assist the Customer as its processor.

12. Cookies and similar technologies

We use cookies and similar technologies necessary to authenticate sessions and operate the Service (including those set by Clerk and Convex). We do not use advertising cookies in the Service. Where required, we will provide additional notices and choices.

13. Children

The Service is not directed to children under [16 / 13] and we do not knowingly collect personal information from them.

14. Changes to this Notice

We may update this Notice from time to time. We will post the updated version and revise the version identifier and effective date. Material changes will be communicated to active Customers in a reasonable manner.

15. Contact us

Questions about this Notice or our practices may be directed to [privacy@secretagents.co]. Postal: [Entity Name, Address].